TechSpot

Google redirect, AV & IE damage

Solved
By tatterjack
Oct 13, 2011
  1. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Perms.txt

    GrantPerms by Farbar
    Ran by Russell Dobash at 2011-10-15 17:26:10

    ===============================================
    \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
     
  2. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Try to rename Combofix file to something else and see if you can copy it to your desktop.
     
  3. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Renaming combofix

    I renamed it to whatever.dud on the USB stick while on the other machine but got the same error when I tried to copy it on to the desktop of the compromised machine.

    Full error message:

    Cannot copy Whatever: Access is Denied

    Make sure the disk is not full or write-protected and that the file is not currently in use.

    Just a thought, but McShield is still running. Although I can't turn it off, I could possibly uninstall McAfee.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    It can't be whatever.dud.
    It has to have .exe extension.
    whatever.exe will be fine.

    Try to do it in safe mode.
     
  5. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Renaming combofix

    Renaming to whatever.exe results in the same message.

    Safe mode wasn't working earlier but I will give it another try. It will have to be later as I have to go out now. Many thanks for your help so far.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    No problem :)
     
  7. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Safe Mode

    It still won't start in safe mode. It produces all the Multi(0), Rdisk(0) messages and then restarts.

    It's coming up to midnight here so I'll have to pick this up tomorrow.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button
      • In Scan scope leave pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting, so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button, then on Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All, then right click again and click Copy.
    • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
     
  9. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Kaspersky

    Good morning Broni.

    I ran the install from the USB stick. It showed the extraction window and then the green installation window with the progress bar. After a few minutes the progress bar stopped and it has now hung like that for 30 minutes. The only activity in task manager is again the McAfee modules.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Going back to Combofix...
    Can you copy it to any other location than a desktop?
     
  11. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    copying combofix

    Fraid not.

    I tried various locations, my id, my docs, all users, windows etc. The behaviour is the same, the copying window appears for longer than normal, then the Access Denied message.

    BTW the virus is obviously still active. When I put the USB drive in it takes ages for Windows Explorer to appear. When it does, these four files appear on the USB, then disappear within 2 seconds, then 10 seconds later reappear ad infinitum.
    Copy of shortcut to (1)
    Copy of shortcut to (2)
    Copy of shortcut to (3)
    Copy of shortcut to (4)
    Curiously autorun.inf hasn't reappeared.

    I could try running it from the USB drive but if it is preventing it being moved I don't hold much hope of running it.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button
      • In Scan scope leave pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting, so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button, then on Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All, then right click again and click Copy.
    • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
     
  13. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Kaspersky

    This time it stopped during the extraction saying the setup file was corrupted. I reformatted the USB stick and downloaded Kaspersky again.

    This time it installed, I made the settings changes and started the scan. One "Alarm" came up saying "A special disinfection process is required which demands the system reboot". I clicked "Yes perform the reboot." It continued finding about 19 infections and then spontaneously rebooted without giving me the chance to copy the report. On restart two minimised command prompts appeared, then the install window and then two EULA windows. In both of these there were transparent sections where buttons might have been. I may have clicked Start. A series of alarms came up, in each of which I clicked Delete. The scan progress window appeared after the first couple of alarms. It then spontaneously rebooted again.

    On reboot a message appeared for 15909212.exe: "Windows cannot access the specified Device, Path or File." The EULA window has appeared again, complete with buttons this time.

    Shall I Accept and Start?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Yes.........
     
  15. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Kaspersky

    This time looked like a repeat of the first time with an Alarm inviting me to let it perform a special disinfection which I pressed Yes to. The smaller windows announcing infections found come and go too fast to get details but one of them had a view report link which I pressed. While the scan was still running the right hand pane displayed a list of messages. I selected all using control-A (habit) and tried to copy but there was no right-click. Tried control-C and then tried to paste into a txt but at this point a message about something not being a windows application came up and the machine spontaneously rebooted.

    On restart four minimised command prompts with the following titles appeared:
    _uninst_22500242
    _uninst_69380408
    _uninst_1590912
    _uninst_7234949
    and two messages saying Windows cannot access the specified device, path, or file with the following titles:
    7234949.exe
    1590912.exe

    These are all still displayed and no other windows have appeared.

    Shall I OK the messages?

    It may have to be tomorrow but I can leave the machine running.

    Thanks for helping out over your weekend.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    You're welcome :)

    Go ahead and OK.
     
  17. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Clicked OK. Messages and command prompts disappeared. Nothing else appeared. Both CPUs running at 90%, mostly McShield and FCPMS.exe (Freecom Personal Media Suite, came with an external hard disk). I killed FCPMS and CPU returned to 0, but no Kaspersky so no report.

    I was running Kaspersky from the USB stick which has been corrupted again. Would it be worth copying to the desktop and running from there?
     
  18. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    combofix still stuffed

    Status

    I tried copying a renamed combofix to the desktop again with the same result.

    The extraneous files are still appearing on USB drives.
    McAfee icons are still missing and the McAfee window doesn't open.
    IE behaviour the same: no search results appearing, address bar is still there,
    IP addresses still work but URLs usually result in a blank page. However they do manage to retrieve the icon for the page.
    Opening Adobe Reader this time caused the Adobe 8 configuration window to appear, at the end of which it opened without the plugin failure messages. PDFs still open in Word but I imagine changing file associations would cure that.

    I also notice several of the folders and registry keys reported deleted by the tools have reappeared.

    Also, looking into the lack of safe mode, I see the SafeBoot reg key has been mostly obliterated and there are sites advising how it can be restored. Worth doing?
     
  19. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Let's see if we can look at your computer by booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  20. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTLPE Scan

    OTL logfile created on: 10/18/2011 12:02:17 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.92 Gb Total Space | 113.36 Gb Free Space | 76.12% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2010/10/13 17:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2010/10/13 17:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
    SRV - [2010/10/13 17:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Auto] -- C:\WINDOWS\System32\mfevtps.exe -- (mfevtp)
    SRV - [2010/10/07 15:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2009/11/17 07:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2009/01/23 05:46:14 | 000,203,280 | ---- | M] () [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2004/03/29 11:08:16 | 000,049,152 | ---- | M] () [Auto] -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (mfeavfk01)
    DRV - File not found [Kernel | On_Demand] -- -- (MBAMSwissArmy)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (csmbrqkp)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2010/10/13 17:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/10/13 17:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2010/10/13 17:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2010/10/13 17:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
    DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
    DRV - [2010/10/13 17:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2010/10/13 17:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2010/10/13 17:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
    DRV - [2010/10/13 17:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/11/17 07:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2009/10/07 08:01:04 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2008/11/16 13:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/12/13 10:10:00 | 000,007,040 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Gonzales.sys -- (Gonzales)
    DRV - [2005/11/28 16:55:46 | 000,012,160 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Bonifay.sys -- (Bonifay)
    DRV - [2005/09/20 06:22:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
    DRV - [2005/08/02 18:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
    DRV - [2005/03/17 11:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/09/17 04:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?rd=1
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 74 E1 15 8A 27 CC 01 [binary data]
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/10/07 08:30:31 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/09/13 09:27:04 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110402175609.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKU\Russell_Dobash_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
    O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O4 - HKU\Russell_Dobash_ON_C..\Run: [{059917AA-2371-A9CF-E2EB-599F7AF29392}] C:\Documents and Settings\Russell Dobash\Application Data\Help\narrator.exe (Do you see yonder cloud thats)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico ()
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom)
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk = C:\Documents and Settings\Russell Dobash\Local Settings\Temp\_uninst_22500242.bat ()
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_69380408.lnk = C:\Documents and Settings\Russell Dobash\Local Settings\Temp\_uninst_69380408.bat ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Russell_Dobash_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1243236794562 (MUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/07/10 07:30:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/10/16 18:17:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/16 15:13:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
    [2011/10/16 14:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Desktop\Graham
    [2011/10/15 11:50:26 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
    [2011/10/14 16:44:40 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/10/13 16:35:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\My Documents\My Videos
    [2011/10/13 16:35:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Administrative Tools
    [2011/10/13 13:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 13:11:28 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/10/13 13:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/10/10 07:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2011/10/08 11:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\PCHealth
    [2011/10/07 10:11:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi
    [2011/10/03 08:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
    [2011/09/28 08:41:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

    ========== Files - Modified Within 30 Days ==========

    [2011/10/17 17:45:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/10/17 17:02:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    [2011/10/17 16:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/10/17 12:08:04 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
    [2011/10/17 12:07:47 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/17 06:02:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    [2011/10/17 05:57:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/16 18:18:28 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2011/10/16 18:18:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/10/16 18:17:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/16 18:17:07 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/16 18:14:27 | 000,000,764 | -HS- | M] () -- C:\WINDOWS\7234949drv.spi
    [2011/10/16 15:27:14 | 000,001,312 | -HS- | M] () -- C:\WINDOWS\1590912drv.spi
    [2011/10/16 14:58:30 | 000,000,841 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk
    [2011/10/16 06:54:49 | 000,000,841 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_69380408.lnk
    [2011/10/15 05:41:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/10/14 05:56:03 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/10/14 05:56:03 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/10/13 13:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 13:09:53 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 05:53:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/07 10:24:00 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2011/10/03 08:39:20 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/10/03 08:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
    [2011/09/28 09:45:42 | 003,052,387 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 08:41:43 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 08:35:19 | 000,327,348 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/28 08:27:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/09/27 10:13:48 | 000,077,521 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf

    ========== Files Created - No Company Name ==========

    [2011/10/17 12:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/16 18:17:08 | 000,114,035 | --S- | C] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/16 18:12:29 | 000,000,764 | -HS- | C] () -- C:\WINDOWS\7234949drv.spi
    [2011/10/16 15:20:25 | 000,001,312 | -HS- | C] () -- C:\WINDOWS\1590912drv.spi
    [2011/10/16 14:58:30 | 000,000,841 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk
    [2011/10/16 06:54:49 | 000,000,841 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_69380408.lnk
    [2011/10/13 13:09:51 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 05:53:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 08:36:43 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\R2D2- LIBRARY- ALL REFS 29Aug2011 Copy Copy Copy.enl
    [2011/09/29 08:27:14 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\R2D2- all.refs Note7, aug29.enl
    [2011/09/29 05:48:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/09/28 09:45:42 | 003,052,387 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 08:41:43 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 08:35:19 | 000,327,348 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/27 10:13:48 | 000,077,521 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
    [2011/07/17 14:48:30 | 000,001,052 | R--- | C] () -- \reatogoMenu.ini
    [2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP.SP2
    [2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP
    [2010/03/09 09:26:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2009/11/17 07:08:34 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2009/11/17 07:07:44 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2007/09/05 09:54:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\fusioncache.dat
    [2007/06/25 09:23:50 | 000,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2007/06/25 09:23:39 | 000,001,359 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
    [2007/06/25 09:19:34 | 000,093,585 | ---- | C] () -- C:\WINDOWS\hppins03.dat
    [2007/06/25 09:19:34 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat
    [2007/06/25 06:08:57 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
    [2007/06/25 06:08:57 | 000,000,526 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DAT
    [2007/06/23 06:15:56 | 000,000,074 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
    [2007/06/23 06:10:16 | 000,093,474 | ---- | C] () -- C:\WINDOWS\hppins03.dat.temp
    [2007/06/23 06:10:16 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat.temp
    [2007/03/16 10:33:58 | 000,000,072 | ---- | C] () -- C:\WINDOWS\hdkctnts.ini
    [2006/12/02 06:52:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
    [2006/09/20 08:38:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll
    [2006/09/20 08:38:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
    [2006/08/28 09:04:31 | 000,000,473 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
    [2006/08/28 09:04:31 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
    [2006/08/24 07:15:21 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/07/10 08:11:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/07/10 08:10:48 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/07/10 07:42:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/07/10 07:32:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/07/10 07:27:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2006/03/24 07:06:41 | 000,000,053 | R--- | C] () -- \AUTORUN.INF
    [2005/07/16 17:36:50 | 000,240,128 | R--- | C] () -- \reatogoMenu.exe
    [2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 08:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 08:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/07/06 11:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== LOP Check ==========

    [2011/10/05 12:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
    [2011/10/03 08:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\EndNote
    [2007/11/28 13:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Leadertech
    [2010/09/20 08:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\MSNInstaller
    [2009/12/21 13:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Tatara Systems
    [2009/12/21 12:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
    [2010/03/09 09:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
    [2010/03/09 09:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS

    ========== Purity Check ==========


    < End of report >
     
  21. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    DRV - File not found [Kernel | System] -- -- (csmbrqkp)
    O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O4 - HKU\Russell_Dobash_ON_C..\Run: [{059917AA-2371-A9CF-E2EB-599F7AF29392}] C:\Documents and Settings\Russell Dobash\Application Data\Help\narrator.exe (Do you see yonder cloud thats)
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk = C:\Documents and Settings\Russell Dobash\Local Settings\Temp\_uninst_22500242.bat ()
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_69380408.lnk = C:\Documents and Settings\Russell Dobash\Local Settings\Temp\_uninst_69380408.bat ()
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    [2011/10/16 15:13:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
    [2011/10/07 10:11:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi
    [2011/10/16 18:17:07 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/16 18:14:27 | 000,000,764 | -HS- | M] () -- C:\WINDOWS\7234949drv.spi
    [2011/10/16 15:27:14 | 000,001,312 | -HS- | M] () -- C:\WINDOWS\1590912drv.spi
    [2011/10/16 14:58:30 | 000,000,841 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk
    [2011/10/16 06:54:49 | 000,000,841 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_69380408.lnk
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
     
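    The fix script above hits five separate persistence points: an orphaned kernel driver service (csmbrqkp), Run values under HKU\.DEFAULT and the user's hive, .lnk files in the Startup folder pointing at .bat files in Temp, a second Startup folder under the SYSTEM profile, and a Winlogon UserInit hijack, all of them binaries with no company name living in user-writable paths. The script below is an added example, not part of this thread and not a feature of OTL or OTLPE; it shows how a triage pass over OTL log lines can surface exactly those entries automatically. The line formats are inferred from the logs posted in this thread, the heuristics are my own, the stock UserInit value is assumed to be the Windows XP default, and the last two sample lines are constructed clean entries for contrast.

```python
"""Triage OTL scan-log lines for common autostart/persistence abuse.

Added example; not part of the TechSpot thread and not a feature of OTL.
Line formats are inferred from the logs posted in the thread; heuristics,
the assumed default UserInit value and the "clean" sample lines are mine.
"""
import re

# Paths a limited user or the LocalService account can write to. Genuine
# autostart binaries rarely live in any of them.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\start menu\\programs\\startup\\",
)
# Assumption: default Windows XP UserInit, the only value OTL should list.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
SCRIPT_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js")

# OTL line shapes inferred from the posted logs; "()" is an empty company name.
RE_O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKU\\[^\\]+|HKLM)\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?) \((?P<company>.*)\)$")
RE_O4_STARTUP = re.compile(
    r"^O4 - Startup: (?P<lnk>.+?\.lnk) = (?P<target>.+?) \((?P<company>.*)\)$")
RE_O20_USERINIT = re.compile(
    r"^O20 - HKLM Winlogon: UserInit - \((?P<value>.+?)\) - "
    r"(?P<path>.+?) \((?P<company>.*)\)$")
RE_FILE = re.compile(
    r"^\[(?P<ts>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$")
RE_DRV_MISSING = re.compile(r"^DRV - File not found .*\((?P<name>[^)]+)\)$")


def in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(lines):
    """Return (reason, detail) pairs for the lines that deserve a look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RE_O20_USERINIT.match(line)
        if m:
            # Anything but the stock userinit.exe here runs at every logon.
            if m.group("path").lower() != LEGIT_USERINIT:
                findings.append(("userinit-hijack", m.group("path")))
            continue
        m = RE_O4_RUN.match(line)
        if m:
            # Run values from profile paths or with no company name are rare
            # for legitimate software (a nonsense company string is no better).
            if in_user_writable(m.group("path")) or not m.group("company"):
                findings.append(("run-key", "%s [%s] %s" % (
                    m.group("hive"), m.group("name"), m.group("path"))))
            continue
        m = RE_O4_STARTUP.match(line)
        if m:
            target = m.group("target")
            if in_user_writable(target) or target.lower().endswith(SCRIPT_EXT):
                findings.append(("startup-lnk", target))
            continue
        m = RE_DRV_MISSING.match(line)
        if m:
            # A service whose driver file is gone: leftover or something hidden.
            findings.append(("orphan-driver", m.group("name")))
            continue
        m = RE_FILE.match(line)
        if m:
            path, attr, company = m.group("path"), m.group("attr"), m.group("company")
            if path.lower().endswith(SCRIPT_EXT) and in_user_writable(path) and not company:
                findings.append(("dropped-binary", path))
            elif ("H" in attr and "S" in attr and not company
                  and path.lower().startswith("c:\\windows\\")):
                findings.append(("hidden-system-file", path))
    return findings


# Sample input: the first eight lines are copied from the logs posted in this
# thread; the last two are constructed clean entries for contrast.
SAMPLE_LINES = [
    r"DRV - File not found [Kernel | System] -- -- (csmbrqkp)",
    r"O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()",
    r"O4 - HKU\Russell_Dobash_ON_C..\Run: [{059917AA-2371-A9CF-E2EB-599F7AF29392}] C:\Documents and Settings\Russell Dobash\Application Data\Help\narrator.exe (Do you see yonder cloud thats)",
    r"O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk = C:\Documents and Settings\Russell Dobash\Local Settings\Temp\_uninst_22500242.bat ()",
    r"O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()",
    r"[2011/10/16 18:17:08 | 000,114,035 | --S- | C] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe",
    r"[2011/10/16 18:12:29 | 000,000,764 | -HS- | C] () -- C:\WINDOWS\7234949drv.spi",
    r"[2011/10/17 12:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk",
    r"O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)",
    r"O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)",
]

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LINES):
        print("%-19s %s" % (reason, detail))
```

    Run against the sample it reports seven findings, one per line that Broni's fix script removes, and nothing for the two clean entries or the Adobe Reader shortcut. The heuristics are deliberately narrow (profile path, empty company, hidden+system attributes in C:\WINDOWS, a UserInit value other than the stock one); they are a first-pass filter for a human reader of the log, not a verdict.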
  22. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTLPE FIX Output

    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\csmbrqkp deleted successfully.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\LmlLhkfv deleted successfully.
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe moved successfully.
    Registry value HKEY_USERS\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\{059917AA-2371-A9CF-E2EB-599F7AF29392} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{059917AA-2371-A9CF-E2EB-599F7AF29392}\ not found.
    C:\Documents and Settings\Russell Dobash\Application Data\Help\narrator.exe moved successfully.
    C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk moved successfully.
    C:\Documents and Settings\Russell Dobash\Local Settings\Temp\_uninst_22500242.bat moved successfully.
    C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_69380408.lnk moved successfully.
    C:\Documents and Settings\Russell Dobash\Local Settings\Temp\_uninst_69380408.bat moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe deleted successfully.
    File C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe not found.
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi folder moved successfully.
    C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi folder moved successfully.
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe moved successfully.
    C:\WINDOWS\7234949drv.spi moved successfully.
    C:\WINDOWS\1590912drv.spi moved successfully.
    File C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_22500242.lnk not found.
    File C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\_uninst_69380408.lnk not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File\Folder C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe not found.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 10182011_011531
     
  23. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Just rebooted Windows normally and tried IE and Google. So far so good. Opened 3 tabs normally. Trying to close them, though, brought up the "End Program" window. A second attempt has left the machine hanging. Can't even get Task Manager to end iexplore.

    I'm sorry Broni but I'll have to sign off till tomorrow. My brain doesn't work well at this time of night.
     
  24. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Eventually it calmed down enough to get to Task Manager. It looks as though McShield was having a tizzy again. I still couldn't exit from IE normally but I could end the iexplores via Task Manager and close the machine normally.

    Other icons are back in the notification area but not McAfee, and attempting to start McAfee from All Programs has no effect. Goodnight.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,992   +271

    Boot back to OTLPE CD and create another "Quick scan" log.
    I want to see if what was supposed to be gone really is.
     